(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property 
Organization 
International Bureau 

(43) Internationa] Publication Date 
6 January 2005 (06.01.2005) 




PCT 



lililllllllillllllllllMIIIllNnilU 

(10) International Publication Number 

WO 2005/000397 Al 



(51) International Patent Classification 7 : A61N 1/372, 
1/08, A61B 5/00, G06F 19/00, H04L 9/30, 9/32, 9/08 

(21) International Application Number: 

PCT/US2004/0 19902 

(22) International Filing Date: 22 June 2004 (22.06.2004) 

(25) Filing Language: English 

(26) Publication Language: English 

(30) Priority Data: 

10/601/763 23 June 2003 (23.06.2003) US 

(71) Applicant (for all designated States except US): CAR- 
DIAC PACEMAKERS, INC. [US/US]; 4100 Hamline 
Avenue North, St Paul, MN 551 12 (US). 

(72) Inventors; and 

(75) Inventors/Applicants (for US only): VON A RX, Jeffrey, 
A. [US/US]; 2115 Emerson Avenue South, Minneapolis, 
MN 55405 (US). KOSHJOL, AUan, T. [US/US]; 6630 
Ruffed Grouse Road, Lino Lakes, MN 55014 (US). 
BANGE, Joseph, E. [US/US]; 832 Overlook Place, 
Eagan, MN 55123 (US). 



(74) Agents: STEFFEY, Charles, E. et al.; Schwegman, Lund- 
berg, Woessner & KJuth, P.O. Box 2938, Minneapolis, IS^J 
55402 (US). 

(81) Designated States (unless otherwise indicated, for every 
kind of national protection available): AE, AG, AL, AM, 
AT, AU, AZ, BA, BB, BG, BR, BW, BY, BZ, CA, CH, CN, 
CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, EG, ES, FI, 
GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, 
KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, 
MG, MK, MN, MW, MX, MZ, NA, NI, NO, NZ, OM, PG, 
PH, PL, PT, RO, RU, SC, SD, SE, SG, SK, SL, SY, TJ, TM, 
TN, TR, TT, TZ, UA, UG, US, UZ, VC, VN, YU, ZA, ZM, 
ZW. 

(84) Designated States (unless otherwise indicated, for every 
kind of regional protection available): ARIPO (BW, GH, 
GM, KE, LS, MW, MZ, NA, SD, SL, SZ, TZ, UG, ZM, 
ZW), Eurasian (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), 
European (AT, BE, BG, CH, CY, CZ, DE, DK, EE, ES, FI, 
FR, GB, GR, IRJ, IE, IT, LU, MC, NL, PL, PT, RO, SE, SI, 
SK, TR), OAPI (BF, BJ, CF, CG, CI, CM, GA, GN, GQ, 
GW, ML, MR, NE, SN, TD, TG). 

[Continued on next page} 



(54) Title: SECURE TELEMETRY FOR IMPLANTABLE MEDICAL DEVICE 



OS 




(57) Abstract: A method and system for enabling secure communications between an implantable medical device (IMD) and an 
O external device (ED) over a telemetry channel. A telemetry interlock may be implemented which limits any communications between 
^ the ED and the IMD over the telemetry channel, where the telemetry interlock is released when the ED transmits an enable command 
Q to the IMD via a short-range communications channel requiring physical proximity to the IMD. As either an alternative or addition 
to the telemetry interlock, a data communications session between the IMD and ED over the telemetry channel may be allowed to 
occur only after the IMD and ED have been cryptographically authenticated to one other. 



WO 2005/000397 Al lililOUIIIIIIIIIIIIIUIIIIIIlllllllllIll 



Published: 

— with international search report 

— before the expiration of the time limit for amending the 
claims and to be republished in the event of receipt of 
amendments 



For two-letter codes and otfier abbreviations, refer to the "Guid- 
ance Notes on Codes and Abbreviations" appearing at the begin- 
ning of each regular issue of the PCT Gazette, 



WO 2005/000397 



PCT/US2004/019902 



SECURE TELEMETRY FOR 
IMPLANTABLE MEDICAL DEVICE 

Field of the Invention 

This invention pertains to implantable medical devices such as cardiac 
pacemakers and implantable cardioverter/defibrillators. In particular, the invention 
relates to a system and method for transmitting telemetry data from such devices. 

Background 

Implantable medical devices (IMDs), including cardiac rhythm management 
devices such as pacemakers and implantable cardioverter/defibrillators, typically have 
the capability to communicate data with an external device called an external 
programmer via a radio-frequency telemetry link. One use of such an external 
programmer is to program the operating parameters of an implanted medical device. 
For example, the pacing mode and other operating characteristics of a pacemaker are 
typically modified after implantation in this manner. Modern implantable devices also 
include the capability for bidirectional communication so that information can be 
transmitted to the programmer from the implanted device. Among the data that may 
typically be telemetered from an implantable device are various operating parameters 
and physiological data, the latter either collected in real-time or stored from previous 
monitoring operations. 

External programmers are commonly configured to communicate with an 1MD 
over an inductive link. Coil antennas in the external programmer and the MD are 
inductively coupled so that data can be transmitted by modulating a radio-frequency 
carrier waveform which corresponds to the resonant frequency of the two coupled 
coils. An inductive link is a short-range communications channel requiring that the 
coil antenna of the external device be in close proximity to the IMD, typically within a 
few inches. Other types of telemetry systems may utilize far-field electromagnetic 
radiation or other types of data links such as telephone lines or networks (including the 
internet) to enable communications over greater distances. Such long-range telemetry 
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allows the implantable device to transmit data to a remote monitoring unit or be 
programmed from a remote location. Long-range telemetry thus allows physicians to 
monitor patients and to conduct patient follow-ups from across the room or even 
across the world. 

5 Long-term telemetry for implantable medical devices, however, causes some 

special concerns which are no.t present with short-range telemetry. Communication 
with an implantable device over a short-range communications channel such as an 
inductive link requires that the external device be near the patient, so that the clinician 
knows whose implantable device is being programmed and the patient knows who is 

10 programming and receiving data from the implantable device. Long-range telemetry, 
on the other hand, does not require such physical proximity and allows the possibility 
of a physician inadvertently programming the wrong device. Communications with 
far-field electromagnetic radiation or over some kind of network also allows the 
communications to be intercepted by an unintended user, raising privacy concerns for 

15 the patient. A malicious user might even try to use the long-range telemetry system to 
re-program an implanted device. The present invention is a system and method for 
providing long-range telemetry which addresses these concerns. 

Summary 

20 The present invention relates to a method and system for enabling secure 

communications between an implantable medical device (IMD) and an external device 
(ED) over a telemetry channel. In one embodiment, a telemetry interlock is 
implemented which limits any communications between the ED and the IMD over the 
telemetry channel. The telemetry interlock is released when the ED transmits an 

25 enable command to the IMD via a short-range communications channel requiring 
physical proximity to the IMD. In another embodiment, a data communications 
session between the IMD and ED over the telemetry channel is allowed to occur only 
after the IMD and ED have been authenticated to one other. The IMD is authenticated 
to the ED when the ED receives a message from the IMD evidencing use of an 

30 encryption key expected to be possessed by the IMD, and the ED is authenticated to 
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the IMD when the IMD receives a message from the ED evidencing use of an 
encryption key expected to be possessed by the ED. 

Brief Description of the Drawings 

5 Fig. 1 is a block diagram of an exemplary telemetry system for an implantable 

medical device. 

Fig. 2 illustrates a secret key authentication protocol. 
Fig. 3 illustrates a public key authentication protocol. 
Fig. 4 illustrates a particular public key authentication protocol. 

10 

Detailed Description 
The present invention relates to a long-range telemetry system for implantable 
medical devices which guards against the possibility of malicious or inadvertent re- 
programming of an implanted device. In another aspect, the system may also provide 
15 for maintaining the confidentiality of data transmissions. Ensuring such patient safety 
and confidentiality may be accomplished using three separate techniques: encryption 
of data, authentication of the participants in a telemetry session, and telemetry 
interlock. 

20 1 . Encryption/Decryption 

Encryption refers to cryptographic algorithms which are used to encode 
messages in such a way that they cannot be read without possession of a special key 
that decrypts the message. Encryption of a message is performed by applying an 
encryption function to the message, where the encryption function is defined by a 

25 cryptographic algorithm and an encryption key. In the following descriptions and 
referenced drawings, such an encrypted message will be designated as E(m,k), where 
E is the encryption function, m is an unencrypted message, and k is the key used to 
encrypt the message. Decryption of a message involves the application of a reverse 
function D to an encrypted message m using a decryption key k, designated as D(m,k). 
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The encryption and decryption keys may be the same or different depending 
upon the type of cryptographic algorithm which is used. In secret key cryptography, 
both participants in a communication share a single secret key which is used for both 
encryption and decryption of a message. Thus a message m encrypted by a secret key 
5 encryption function E with a key k is recovered by applying the decryption function D 
with same key k: 

m = D(E(m,k),k) 

Well-known examples of secret key cryptographic algorithms are DES (Data 
Encryption Standard), AES (American Encryption Standard), triple-DES, and 
10 Blowfish. 

In public key cryptography, on the other hand, the encryption and decryption 
keys are different. In order to send a secure message using public key cryptography, 
the sender encrypts the message with the recipient's public key which is known to all 
authorized senders and may be widely-known to allow anyone to send a message. The 

15 message can then only be decrypted by the private key which corresponds to the public 
key used to encrypt the message, the private key being held by the message recipient 
and shared with no one else. Thus, a message encrypted with a public key encryption 
function E with a public key kl is recovered by applying the decryption function D 
with the corresponding private key k2: 

20 m = D(E(m,kl),k2) 

Each participant in a secure two-way communications session must therefore possess 
its own private key and know the other's public key. A well-known example of a 
public key cryptographic algorithm is RSA. 

Although either public key or secret key cryptography may be used to securely 

25 transmit data, public key cryptographic algorithms are much more computationally 
intensive. For this reason, it would usually be preferable to use secret key 
cryptography for the actual data communications between an implantable device and 
an external device. As explained below, however, public key cryptography may be 
advantageously used for authentication and to transmit the secret keys used for the data 

30 communications. 

4 
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2. Authentication 

Authentication refers to the mechanisms or protocols by which the participants 
in a communications session may reliably identify one another. An authentication 
5 protocol may be implemented using either secret key or public key cryptography to 
allow an implantable medical device (MD) and an external device (ED) to 
authenticate one another. A data communications session between the IMD and ED 
over the telemetry channel is allowed to occur only after the MD and ED have been 
authenticated to one other. With authentication by either public key or secret key 

10 cryptography, the IMD is authenticated to the ED when the ED receives a message 
from the MD evidencing use of an encryption key expected to be possessed by the 
MD, and the ED is authenticated to the MD when the IMD receives a message from 
the ED evidencing use of an encryption key expected to be possessed by the ED. 

In authentication by secret key cryptography, the MD is authenticated to the 

15 ED when the ED transmits a first message to the MD over the telemetry channel and 
receives in response a message derived from the first message which is encrypted by a 
secret key expected to be possessed by the IMD. The ED is then authenticated to the 
IMD when the MD transmits a second message to the ED over the telemetry channel 
and receives in response a message derived from the second message which is 

20 encrypted by a secret key expected to be possessed by the ED. 

An authentication protocol employing public key cryptography would work as 
follows. The MD is authenticated to the ED when the ED encrypts a first message 
with a public key having a corresponding private key expected to be possessed by the 
IMD, transmits the encrypted first message over the telemetry channel to the IMD, and 

25 receives in response a message from the MD derived from the first message which 
evidences possession of the corresponding private key by the MD. The ED is 
authenticated to the MD when the MD encrypts a second message with a public key 
having a corresponding private key expected to be possessed by the ED, transmits the 
encrypted second message over the telemetry channel to the ED, and receives in 

30 response a message from the ED derived from the second message which evidences 



WO 2005/000397 



PCT/US2004/019902 



possession of the corresponding private key by the ED. The messages derived from 
the first and second messages may include the first and second messages, respectively, 
along with identifying data such as identity codes for the ED and M). Rather than 
having separate transmissions for each, the IMD may transmit the message derived 
5 from the first message and the second message as a combined message (i.e., the 
message derived from the first message which is transmitted by the IMD would then 
include the second message). In one embodiment, the first and second messages 
include random numbers generated by the ED and IMD, respectively. The messages 
derived from the first and second messages would then either include the respective 
10 random number itself or a number derived therefrom (e.g., the random number 
incremented by one). In order to maintain confidentiality of the responses which 
authenticate one participant to the other, the messages derived from the first and 
second messages and which are transmitted by the IMD and ED, respectively, may be 
encrypted using the public keys of the ED and IMD, respectively. 

15 

3. Telemetry interlock 

As explained above, cryptographic techniques may be used both to authenticate 
the IMD and ED to one another and to securely transmit data. All cryptographic 
techniques, however, depend upon either the secret key or private key being kept 

20 secret. In order to give the patient added security with respect to long-range telemetry, 
a technique referred to herein as a telemetry interlock is employed. A telemetry 
interlock is a technique which limits any communications between the ED and the 
IMD over the long-range telemetry link until the interlock is released. The telemetry 
interlock is released by transmitting an enable command to the IMD via a short-range 

25 communications channel requiring physical proximity to the IMD. . In one 
embodiment, no information at all is allowed to be transmitted until the interlock is 
released. This is the more secure embodiment. In a second embodiment limited 
information is allowed, but programming of the device is not. This embodiment 
supports remote patient monitoring without the patient having to release the interlock. 
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One way of implementing the telemetry interlock is to use art inductive link as 
the short-range communications channel. As noted above, traditional implantable 
medical devices have an inductive telemetry link that is very short range (just a few 
inches). In this implementation of a telemetry interlock, the IMD hardware will 
require that an inductive link be established with keys exchanged inductively to release 
the long-range telemetry interlock. In one embodiment the release of the telemetry 
interlock would time out after a few tens of minutes, and again a wave of the inductive 
wand over the device would be needed to continue the session. In another 
embodiment the telemetry interlock would not expire until the end of the current 
telemetry session. 

Another way of implementing the telemetry interlock is to use the static 
magnetic field of a magnet as a short-range communications channel so that the 
telemetry interlock is released when a magnet is held near the IMD. This embodiment 
may be needed in cases where the IMD is not equipped with an inductive telemetry 
system. The doctor or other person trusted by the patient would then be required to 
wave a magnet over the implantable medical device to enable programming. Again 
the release of the interlock would expire after either some short duration of time or at 
the end of the present telemetry session. 

Both of these interlock techniques will stop malicious programming from a 
remote hacker because the interlock can only be released by someone physically very 
close to the patient. These interlock techniques will also stop unintentional 
programming by a valid user. Because a doctor or other authorized user may 
accidentally establish a telemetry session with the wrong device (long range telemetry 
will allow multiple patients to be in range of a doctor's programmer), having to wave 
an inductive wand or magnet over the device to enable programming would prevent 
the doctor from accidentally programming the wrong device. 

4. Secure data communications session 

Once authentication and release of the telemetry interlock have occurred, the 
IMD and the ED can proceed to communicate data over the long-range telemetry link 
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with each device knowing that the other is not an impostor. If the, data is sent in the 
clear during the data communications session, however, an eavesdropper could 
intercept the data and compromise the patient's privacy. It may therefore be desirable 
to encrypt some or all communications between the ED and the IMD during the data 
5 communications session. As stated earlier, secret key encryption is much less 
computationally intensive than public key encryption and is preferred for transmitting 
relatively large amounts of data. If secret key cryptography is used for authentication, 
the ED and IMD can use the same secret key for data transmission. If public key 
cryptography is used for authentication, secret key cryptography can be used for data 
10 communications, where one of either the ED or the IMD transmits to the other of 
either the ED or the IMD a secret session key encrypted by the latter' s public key. 
That secret session key can then be used by both participants to encrypt data. 

4. Exemplary hardware description 

15 Fig. 1 is a block diagram of the telemetry components of an implantable 

medical device 1 and two representative external devices 2 and 3. Each of the devices 
has a microprocessor or other type of controller designated 10, 20, or 30 for processing 
the digital data. Software or firmware executed by the controller in each device may 
implement various communications algorithms and protocols when transmitting or 

20 receiving messages, including the encryption, authentication, and telemetry interlock 
schemes described above. A data receiver and a data transmitter are interfaced to the 
controller in each of the devices for receiving and transmitting either a modulated 
carrier signal or a baseband signal. A demodulator or decoder for extracting digital 
data from the carrier signal or baseband signal is incorporated into each receiver. A 

25 modulator or encoder is incorporated into each transmitter for modulating the carrier 
signal with digital data or encoding the baseband signal. The data transmitted by each 
of the devices is digital data that can be transmitted directly as baseband data in certain 
types of data links or as a modulated carrier signal. In either case, the data is 
transmitted in the form of symbols representing one or more bits of information. For 

30 example, in on-off amplitude shift keying, each pulse represents either a one or a zero. 

8 
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Other modulation methods (e.g., M-ary modulation techniques) utilize symbols 
representing a greater number of bits. 

Each of the external devices 2 and 3 would typically be an external 
programmer which can both re-program and download data from the implantable 
5 device 1. The external device 3 is intended to represent a device designed for short- 
range telemetry via an inductive link where a coil C3 is interfaced to the receiver 35 
and transmitter 34 for inductively linking with a corresponding coil CI interfaced to 
the receiver 15 and transmitter 14 of the implantable device. The coil C3 would 
typically be incorporated into a wand for positioning close to the implantable device, 

10 while the coil CI is typically wrapped around the periphery of the inside of the 
implantable device casing. An example of an inductive link telemetry system for an 
external programmer and a cardiac pacemaker is described in U.S. Patent No. 
4,562,841, issued to Brockway et al. and assigned to Cardiac Pacemakers, Inc., the 
disclosure of which is hereby incorporated by reference. The external device 2 is 

15 intended to depict a device which communicates with the implantable device 1 over a 
long-range telemetry link, implemented with either far-field radio transmissions or 
over a network. For transmitting and receiving data between the devices over the 
long-range telemetry link, a data receiver 1 1 and a data transmitter 12 are interfaced to 
the controller in the implantable device 1, and a data receiver 21 and a data transmitter 

20 22 are interfaced to the controller in the external device 2. In the case of a far-field 
radio link, the receiver/transmitter pair of the implantable device 1 and external device 
2 are interfaced to antennas Al and A2, respectively. In the case where long-range 
telemetry is implemented over a network, the receiver/transmitter pair of external 
device 2 would be interfaced to a network connection, while the implantable device 

25 would 1 would be wirelessly interfaced to a repeater unit with a network connection. 

The implantable device 1 is also equipped with a magnetically actuated switch 
SI and associated pull-up resistor Rl which is interfaced to the controller 10. In this 
embodiment, the telemetry interlock may be released by either a command transmitted 
from the external device 3 over the inductive link formed by the coils CI and C3 or by 

30 actuation of the switch SI by proximity of an external magnet Ml may be used to 
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release the telemetry interlock. In other embodiments, the implantable device would 
perhaps only have one type of short-range communications channel for releasing the 
telemetry interlock, either a magnetically actuated switch or an inductive link 
telemetry system. Other types of short-range communications channels for releasing 
5 the telemetry interlock are also possible, including short-range telemetry systems 
implemented with a capacitive link or a physically actuated switch. 

5. Exemplary specific embodiments 

As described above, a system in accordance with the invention for providing 

10 secure long-range telemetry for an implantable medical device may include any one or 
all of the following: 1) a telemetry interlock released via a short-range 
communications channel, 2) an authentication protocol by which an external device 
and the implantable device can identify one other, and 3) encryption of the long-range 
telemetry communications to ensure patient privacy. The following are descriptions of 

1 5 exemplary schemes which incorporate those features. 

In one particular embodiment, the telemetry interlock technique described 
above is used as the sole means for providing security before the initiation of a long- 
range telemetry session, with no cryptographic authentication protocols being 
employed and the data sent in the clear. In another embodiment, only cryptographic 

20 authentication is used to provide security for initiating a long-range telemetry session, 
with no use of a telemetry interlock. In either of these embodiments, a long-range 
telemetry session can either be prevented entirely or limited to particular types of data 
transfers if no release of the telemetry interlock or cryptographic authentication occurs. 
For example, while it would probably not be desirable to allow an external device to 

25 program an implantable device via long-range telemetry without either release of a 
telemetry interlock or cryptographic authentication, certain types of data could still be 
allowed to be transferred from the implantable device, either with or without 
encryption. In another embodiment, neither cryptographic authentication nor a 
telemetry interlock is employed, but the implantable device uses either public key or 
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secret key encryption to send certain types of data to an external device over a long- 
range telemetry link. 

One example embodiment of a method or system for enabling secure 
communications between an implantable medical device (IMD) and an external device 
5 (ED) over a telemetry channel includes a telemetry interlock which limits any 
communications between the ED and the IMD over the telemetry channel, where the 
telemetry interlock is released by transmitting an enable command to the IMD via a 
short-range communications channel requiring physical proximity to the IMD. The 
IMD is authenticated to the ED when the ED receives a message from the IMD 
10 evidencing use of an encryption key expected to be possessed by the IMD, and the ED 
is authenticated to the IMD when the IMD receives a message from the ED evidencing 
use of an encryption key expected to be possessed by the ED. A data communications 
session between the IMD and ED over the telemetry channel is then allowed to occur 
; only after the MD and ED have been authenticated to one other Either public key or 

15 secret key cryptography can be used for the authentication. In another example 
embodiment, secure communications between IMD and an ED over a telemetry 
channel is provided solely by a telemetry interlock which is released by transmitting an 
enable command to the IMD via a short-range communications channel requiring 
physical proximity to the IMD, where data communications between the IMD and ED 

20 over the telemetry channel is limited until the telemetry interlock has been released. 

In another example embodiment, secure communications between an IMD and 
an ED over a telemetry channel is provided by authenticating the IMD to the ED when 
the ED receives a message from the IMD evidencing use of an encryption key 
expected to be possessed by the IMD, authenticating the ED to the IMD when the IMD 

25 receives a message from the ED evidencing use of an encryption key expected to be 
possessed by the ED, and allowing a data communications session between the IMD 
and ED over the telemetry channel to occur only after the IMD has been authenticated 
to the ED. In another embodiment, unilateral authentication is employed so that only 
one of either the IMD or the ED needs to be authenticated to the other before a data 

30 communications session is allowed to occur. For example, when an ED communicates 

11 
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with an IMD, it may authenticate the IMD so that the ED knows that it is gathering 
data from the correct device. However, the IMD may not need to authenticate the ED 
unless the ED tries to alter its state (re-program it). As long as the ED is only reading 
data, there is no safety concern (although there may be a privacy concern). 
5 Fig. 2 depicts a communications session between the external device 2 and the 

implantable device 1 over a long-range telemetry channel in an embodiment using a 
telemetry interlock and where authentication is performed with secret key 
cryptography. After the telemetry lock is released by an ENABLE command from the 
external device 3, the external device 2 transmits a message Ml encrypted by a secret 

10 key encryption algorithm using a key Kl. The implantable device 1 responds by 
decrypting the message to obtain Ml, modifying Ml in an agreed upon manner (e.g., 
incrementing the number Ml by one) to obtain Ml*, transmitting Ml* back to the 
implantable device encrypted by the key KL After decrypting the message to obtain 
Ml*, the external device 2 has authenticated the implantable device 1, as the latter has 

15 evidenced possession of the secret key Kl. The implantable device 1 at the same time 
sends a message M2 encrypted by secret key KL The external device 2 responds by 
decrypting the message to obtain M2, modifying M2 to obtain M2*, and transmitting 
M2* encrypted with key Kl back to the implantable device 1, thus authenticating the 
external device 2. The implantable device 1 then transmits a secret session key SK 

20 encrypted by key Kl . A data communications session may then ensue in which DATA 
is transmitted by either of the devices encrypted with the secret session key SK. In 
another embodiment, data is exchanged between the devices during the data 
communications session using the same secret key Kl as used for authentication. The 
session continues until one of the devices sends an end of session signal or a time-out 

25 occurs, at which point the telemetry interlock is re-activated. 

Fig. 3 depicts a communications session between the external device 2 and the 
implantable device 1 over a long-range telemetry channel in an embodiment using a 
telemetry interlock and where authentication is performed with public key 
cryptography. After the telemetry lock is released by an ENABLE command from the 

30 external device 3, the external device 2 transmits a message Ml encrypted by a public 

12 
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key encryption algorithm using a key PubKeyl having a corresponding private key 
thought to be possessed by the implantable device. The implantable device responds 
by decrypting the message with the private key corresponding to PubKeyl to obtain 
Ml and transmitting Ml back to the implantable device encrypted by a public key 
5 PubKey2 having a corresponding private key thought to be possessed by the external 
device 2. When the external device 2 decrypts the message with its private key and 
obtains Ml, the external device 2 has authenticated the implantable device 1, as the 
latter has evidenced possession of the private key corresponding to public key 
PubKeyl. The implantable device 1 at the same time sends a message M2 also 

10 encrypted by public key PubKey2. The external device 2 responds by decrypting the 
message with the private key corresponding to public key PubKey2 to obtain M2 and 
transmitting M2 encrypted with public key PubKeyl back to the implantable device 1, 
thus authenticating the external device 2 to the implantable device. The external 
device 2 also transmits a secret session key SK encrypted by encrypted with public key 

15 PubKeyl. A data communications session may then ensue using secret key 
cryptography in which DATA is transmitted by either of the devices encrypted with 
the secret session key SK. The session continues until one of the devices sends an end 
of session signal or a time-out occurs, at which point the telemetry interlock is re- 
activated. 

20 Fig. 4 depicts a communications session using a more specific embodiment of 

the authentication protocol illustrated in Fig. 3. It is assumed that the external device 2 
and the implantable device know each other's public authentication key. When an 
instigator (in this embodiment, the instigator is the external device 2) wants to 
establish an authenticated long-range telemetry session with an implantable device, it 

25 begins by encrypting its identity ID2 and a random number R A with the implantable 
device's public key PubKeyl. No listener except the intended recipient will be able to 
decrypt this information (even if the listener knows the recipient's public key) because 
no one except the intended recipient knows the recipient's private key. The recipient 
device decrypts this message with its private key. It then looks up the public key of 

30 the instigator PubKey2 and uses this to encrypt its identity ID 1, the random number 

13 
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Ra, and a second random number Rb. The recipient then transmits this encrypted 
information back to the instigator. Again, no one but the instigator is able to decrypt 
this information because no one but the instigator knows the instigator's private key. 
The instigator upon receiving back and verifying the random number it sent R A , now 

5 knows that the implantable device it is communicating with is in fact the intended 
device, because only the intended device could have decrypted and returned R A . The 
instigator then encrypts Rb with the recipient's public key PubKeyl and sends this 
back to the recipient. Upon receiving, decrypting, and verifying Rb, the recipient now 
knows that the instigator is in fact the holder of the correct private key, because only 

10 the holder of that private key could have decrypted and returned R B . Authentication 
has now occurred. Both sides of the communication session now know that its 
communication partner holds the proper private key. Note that in this embodiment, 
recording the authentication exchanges and retransmitting parts of the exchanges in an 
attempt to impersonate an authorized device would not work because random numbers 

15 were used by both participants in the authentication, and these will be different each 
time. 

Again, because a public key cryptographic algorithm is computationally 
expensive, it is only used in the embodiment of Fig. 4 for authentication at the start of 
each session, and the messages encrypted are of minimal size (typically a few hundred 

20 bits). The instigator transmits a secret session key SK encrypted with public key 
PubKeyl so that data communications session may be performed using secret key 
cryptography. In this embodiment, the secret session key SK is transmitted to the 
recipient device during authentication in the same frame that sends back R B . In this 
way the number of frames using public key encryption is reduced by one (and public 

25 key encryption is very computationally expensive). In a particular embodiment, the 
secret session key SK is 64 bits. Although a 64-bit key is easier to decipher than the 
128 bit public key, it is sufficient to provide security for the relative short duration of a 
typical telemetry session. The data communications session continues until one of the 
devices sends an end of session signal or a time-out occurs, at which point the 

30 telemetry interlock is re-activated. In another particular embodiment, the session key 
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expires at the end of each telemetry session, and a new key is chosenat random for the 
next session. 

Even using secret key cryptography for data communications, it still may not 
be feasible for an implantable medical device to encrypt or decrypt every message that 
5 it sends or receives. It is not easy for the present generation of cardiac rhythm 
management devices to encrypt real-time electrograms without adding significant 
latency to the transmission. In one embodiment, therefore, the implantable medical 
device only encrypts selective data and sends other data in the clear. For example, 
only the most sensitive patient data (such as patient name, social security number and 

10 diagnosis) may be encrypted. An encryption flag in the header of each data packet 
could indicate if the contents are encrypted or not. 

With either public key or secret key authentication, it is evidence of possession 
of a particular key which authenticates a device. In general, all authentication 
protocols are only as secure as the private keys in the case of public key cryptography 

15 and the secret keys in the case of secret key cryptography. For this reason the private 
or secret keys should be long (e.g., 128 bit in one embodiment). For added security, 
the private or secret key may be either hardwired into a device at the factory or 
generated internally by the device, and then prevented from being read out by 
telemetry. For example, a private key may be programmed into a device during 

20 manufacture, with its corresponding public key then included with the product 
documentation or obtainable through short-range inductive telemetry. A physician can 
then program the device's public key into a home monitor, a portable repeater, or a 
programmer. All external devices have unique public and private authentication keys 
as well, with the public key included with the product documentation. A physician can 

25 thus program a number of external device's public keys into an implantable device. In 
another embodiment, both implantable and external devices are capable of randomly 
generating new public/private key pairs by the RSA algorithm or through some other 
standard key pair generating algorithm. In this embodiment, new keys can be 
generated when the physician commands it via secure short-range inductive telemetry. 
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In a preferred embodiment, the authentication schemes described above only 
apply to the long-range telemetry link so that communication is always available in an 
emergency via short-range telemetry. For example, in case of a device reset, or some 
other fault that may cause the authentication keys to be corrupted, a long-range 
5 authenticated telemetry session will not be possible. In this case, short-range telemetry 
should still be available to reset the authentication keys. Another example of why 
short-range telemetry should be available without authentication is the traveling 
patient who needs device interrogation when away from his home physician. 

Although the invention has been described in conjunction with the foregoing 
10 specific embodiment, many alternatives, variations, and modifications will be apparent 
to those of ordinary skill in the art. Such alternatives, variations, and modifications are 
intended to fall within the scope of the following appended claims. 
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What is claimed is: 

1 . A system for enabling secure communications between an implantable medical 
device (IMD) and an external device (ED) over a telemetry channel, comprising: 

means for implementing a telemetry interlock which limits any 
communications between the ED and the IMD over the telemetry channel; 

means for releasing the telemetry interlock by transmitting an enable command 
to the IMD via a short-range communications channel requiring physical proximity to 
theMD; 

means for authenticating the JMD to the ED when the ED receives a message 
from the IMD evidencing use of an encryption key expected to be possessed by the 
IMD; 

means for authenticating the ED to the IMD when the IMD receives a message 
from the ED evidencing use of an encryption key expected to be possessed by the ED; 
and, 

means for allowing a data communications session between the IMD and ED 
over the telemetry channel to occur only after the IMD and ED have been 
authenticated to one other. 

2. A system for enabling secure communications between an implantable medical 
device (EMD) and an external device (ED) over a telemetry channel, comprising: 

means for implementing a telemetry interlock which is released by transmitting 
an enable command to the IMD via a short-range communications channel requiring 
physical proximity to the IMD; and, 

means for limiting data communications between the IMD and ED over the 
telemetry channel until the telemetry interlock has been released. 

3. The system of claim 2 wherein the short-range communications channel is an 
inductive communications link between the IMD and another device. 
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4. The system of claim 2 wherein the short-range communications channel is a 
switch within the IMD which is actuated by a magnet held in close proximity to the 
IMD to thereby release the telemetry interlock. 

5 5. A method for enabling secure communications between an implantable 
medical device (IMD) and an external device (ED) over a telemetry channel, 
comprising: 

implementing a telemetry interlock which limits any communications between 
the ED and the IMD over the telemetry channel; 
10 releasing the telemetiy interlock by transmitting an enable command to the 

IMD via a short-range communications channel requiring physical proximity to the 
IMD; 

authenticating the IMD to the ED when the ED receives a message from the 
IMD evidencing use of an encryption key expected to be possessed by the IMD; 
15 authenticating the ED to the IMD when the IMD receives a message from the 

ED evidencing use of an encryption key expected to be possessed by the ED; and, 

allowing a data communications session between the IMD and ED over the 
telemetry channel to occur only after the IMD and ED have been authenticated to one 
other. 

6. The method of claim 5 wherein the ED and the IMD are authenticated to one 
another using public key cryptography by: 

authenticating the IMD to the ED when the ED encrypts a first message with a 
public key having a corresponding private key expected to be possessed by the IMD, 
transmits the encrypted first message over the telemetry channel to the IMD, and 
receives in response a message from the IMD derived from the first message which 
thereby evidences possession of the corresponding private key by the IMD; and, 

authenticating the ED to the IMD when the IMD encrypts a second message 
with a public key having a corresponding private key expected to be possessed by the 
ED, transmits the encrypted second message over the telemetry channel to the ED, and 
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receives in response a message from the ED derived from the second message which 
thereby evidences possession of the corresponding private key by the ED. 

7. The method of claim 6 wherein the message derived from the first message 
5 includes the first message and wherein the message derived from the second message 

includes the second message. 

8. The method of claim 6 wherein the first and second messages include random 
numbers generated by the ED and IMD, respectively. 

10 

9. The method of claim 6 wherein the first and second messages include identity 
codes for the ED and IMD, respectively. 

10. The method of claim 6 wherein the messages derived from the first and second 
15 messages and which are transmitted by the IMD and ED, respectively, are encrypted 

using the public keys of the ED and IMD, respectively. 

11. The method of claim 6 wherein the message derived from the first message 
which is transmitted by the IMD includes the second message. 

20 

12. The method of claim 5 further comprising encrypting communications between 
the ED and IMD during the data communications session. 

1 3. The method of claim 6 further comprising encrypting communications between 
25 the ED and IMD during the data communications session with secret key 

cryptography, wherein the secret key data communications session is established by 
one of either the ED or the IMD transmitting to the other of either the ED or the IMD a 
secret session key encrypted by the latter' s public key. 
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14. The method of claim 5 wherein one of either the ED or the IMD is designated 
as a session instigator and the other of the ED or IMD is designated as a session 
recipient, the ED and the IMD are authenticated to one another using public key 
cryptography, and authentication is accomplished by: 
5 the instigator encrypting a first message with a public key having a 

corresponding private key expected to be possessed by the recipient, wherein the first 
message includes an identity code for the instigator and a random number R A , 

the instigator transmitting the encrypted first message over the telemetry 
channel to the recipient; 
10 the recipient decrypting the first message with its private key, looking up a 

public key having a corresponding private key expected to be possessed by the 
instigator using the identity code contained in the first message, and encrypting a 
second message with the public key of the instigator, wherein the second message 
includes an identity code for the recipient, the random number Ra, and a second 
15 random number Rb; 

the recipient transmitting the encrypted second message over the telemetry 
channel to the instigator; 

the instigator decrypting the second message with its private key corresponding 
to the public key used to encrypt the second message and verifying that the second 
20 message contains Ra to thereby authenticate the recipient; 

the instigator encrypting a third message derived from the second message with 
the public key of the recipient, wherein the third message includes the random number 
Rb; 

the instigator transmitting the encrypted third message over the telemetry 
25 channel to the recipient; and, 

the recipient decrypting the third message with its private key corresponding to 
the public key used to encrypt the third message and verifying that the third message 
contains R B to thereby authenticate the instigator. 
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15. The method of claim 14 further comprising encrypting communications 
between the instigator and the recipient during the data communications session with 
secret key cryptography, wherein the secret key data communications session is 
established by the instigator transmitting to the recipient a secret session key encrypted 

5 by the recipient's public key. 

1 6. The method of claim 15 wherein the secret session key is contained in the third 
message transmitted by the instigator. 

10 17. The method of claim 5 wherein the ED and the IMD are authenticated to one 
another using secret key cryptography by: 

authenticating the MD to the ED when the ED transmits a first message to the 
IMD over the telemetry channel and receives in response a message derived from the 
first message which is encrypted by a secret key expected to be possessed by the IMD; 

15 authenticating the ED to the IMD when the IMD transmits a second message to 

the ED over the telemetry channel and receives in response a message derived from 
the second message which is encrypted by a secret key expected to be possessed by the 
ED. 

20 18. The method of claim 5 wherein, after a data communications session ends, the 
telemetry interlock is re-activated to limit communications over the telemetry channel 
until the telemetry interlock is again released. 

19. The method of claim 5 wherein no communications between the ED and IMD 
25 are allowed to occur until the telemetry interlock is released. 

20. The method of claim 5 wherein a data communications session over the 
telemetry channel can be established which allows transmission of data from the IMD 
to the ED if the telemetry interlock is not released, but programming of the IMD by the 

30 ED cannot be performed unless the telemetry interlock is released. 
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21. The method of claim 5 wherein the telemetry channel is a far-field radio- 
frequency communications link. 

5 22. The method of claim 5 wherein the telemetry channel includes an internet link. < 



23. The method of claim 5 wherein the short-range communications channel is an 
inductive communications link between the IMD and another device. 

10 24. The method of claim 5 wherein the short-range communications channel is a 
switch within the IMD which is actuated by a magnet held in close proximity to the 
IMD to thereby release the telemetry interlock. 

25. A method for enabling secure communications between an implantable 
15 medical device (IMD) and an external device (ED) over a telemetry channel, 

comprising: 

implementing a telemetry interlock which is released by transmitting an enable 
command to the IMD via a short-range communications channel requiring physical 
proximity to the IMD; and, 
20 limiting data communications between the IMD and ED over the telemetry 

channel until the telemetry interlock has been released. 

26. The method of claim 25 wherein, after a data communications session over the 
telemetry channel ends, the telemetry interlock is re-activated to limit communications 

25 over the telemetry channel until the telemetry interlock is again released. 

27. The method of claim 25 wherein no communications between the ED and IMD 
are allowed to occur over the telemetry channel until the telemetry interlock is 
released. 
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28. The method of claim 25 wherein a data communications * session over the 
telemetry channel can be established which allows transmission of data from the IMD 
to the ED if the telemetry interlock is not released, but programming of the IMD by the 
ED cannot be performed unless the telemetry interlock is released. 

5 

29. The method of claim 25 wherein the short-range communications channel is an > 
inductive communications link between the IMD and another device. 

30. The method of claim 25 wherein the short-range communications channel is a 
10 switch within the IMD which is actuated by a magnet held in close proximity to the 

IMD to thereby release the telemetry interlock. 

31. A method for enabling secure communications between an implantable 
medical device (IMD) and an external device (ED) over a telemetry channel, 

15 comprising: 

authenticating the MD to the ED when the ED receives a message from the 
MD evidencing use of an encryption key expected to be possessed by the IMD; and, 

allowing a data communications session between the IMD and ED over the 
telemetry channel to occur only after the IMD has been authenticated to the ED. 

20 

32. The method of claim 3 1 further comprising: 

authenticating the ED to the IMD when the IMD receives a message from the 
ED evidencing use of an encryption key expected to be possessed by the ED; and, 

allowing a data communications session between the IMD and ED over the 
25 telemetiy channel to occur only after the IMD and ED have been authenticated to one 
other. 
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33 The method of claim 32 wherein the ED and the IMD are authenticated to one 
another using public key cryptography by: 

authenticating the IMD to the ED when the ED encrypts a first message with a 
public key having a corresponding private key expected to be possessed by the IMD, 
5 transmits the encrypted first message over the telemetry channel to the IMD, and 
receives in response a message from the IMD derived from the first message which 
thereby evidences possession of the corresponding private key by the IMD; and, 

authenticating the ED to the IMD when the IMD encrypts a second message 
with a public key having a corresponding private key expected to be possessed by the 
ED, transmits the encrypted second message over the telemetry channel to the ED, and 
receives in response a message from the ED derived from the second message which 
thereby evidences possession of the corresponding private key by the ED. 

34. The method of claim 32 wherein the ED and the IMD are authenticated to one 
another using secret key cryptography by: 

authenticating the IMD to the ED when the ED transmits a first message to the 
IMD over the telemetry channel and receives in response a message derived from the 
first message which is encrypted by a secret key expected to be possessed by the IMD; 

authenticating the ED to the IMD when the IMD transmits a second message to 
the ED over the telemetry channel and receives in response a message derived from 
the second message which is encrypted by a secret key expected to be possessed by the 
ED. 

35. A method for enabling secure communications between an implantable 
medical device (IMD) and an external device (ED) over a telemetry channel, 
comprising: 

authenticating the ED to the IMD when the IMD receives a message from the 
ED evidencing use of an encryption key expected to be possessed by the ED; and, 

allowing a data communications session between the IMD and ED over the 
telemetry channel to occur only after the ED has been authenticated to the IMD. 
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